Merged
15 changes: 9 additions & 6 deletions .github/workflows/ci.yml
Expand Up @@ -42,8 +42,11 @@ jobs:
gleam-version: ${{ env.gleam }}
rebar3-version: ${{ env.rebar }}
- run: gleam test --target erlang
- run: gleam build --target erlang
- run: gleam run -m go_over -- --format sarif --sarif-output go-over.sarif --local
- run: python3 -c "import json; d=json.load(open('go-over.sarif')); assert d['version']=='2.1.0' and d['runs']"
- run: gleam run --target erlang -- --local --puller wget
- run: gleam run --target erlang -- --local --outdated
- run: gleam run --target erlang -- --local

windows-erlang:
#todo swap to 25 when setup-beam is fixed
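Review bot: the assertion on line 31 only checks `version == '2.1.0'` and that `runs` is non-empty, so a log with the right version string but a malformed `tool` or `results` section still passes, while GitHub's ingestion is stricter than that. Reach into the run as well, e.g. `r=d['runs'][0]; assert r['tool']['driver']['name'] and isinstance(r.get('results'), list)`, or run the file through the SARIF validator the README links. Separately, removing `--outdated` from every job in this file leaves the deprecated path that now shells out to `gleam deps outdated` exercised only by deps.yml, not by the test matrix.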
Expand All @@ -59,7 +62,7 @@ jobs:
otp-version: ${{ env.otp }}
gleam-version: ${{ env.gleam }}
rebar3-version: ${{ env.rebar }}
- run: gleam run --target erlang -- --local --outdated
- run: gleam run --target erlang -- --local

windows-node:
#todo swap to 25 when setup-beam is fixed
Expand All @@ -80,7 +83,7 @@ jobs:
node-version: ${{ env.nodelts }}
cache: "npm"
- run: npm install
- run: gleam run --target javascript --runtime nodejs -- --local --outdated --puller curl
- run: gleam run --target javascript --runtime nodejs -- --local --puller curl

node:
runs-on: ubuntu-latest
Expand All @@ -106,7 +109,7 @@ jobs:
cache: "npm"
- run: npm install
- run: gleam test --target javascript --runtime nodejs
- run: gleam run --target javascript --runtime nodejs -- --local --outdated --puller ${{ matrix.puller }}
- run: gleam run --target javascript --runtime nodejs -- --local --puller ${{ matrix.puller }}

bun:
runs-on: ubuntu-latest
Expand All @@ -128,7 +131,7 @@ jobs:
- run: bun install
- run: gleam test --target javascript --runtime bun
- run: gleam run --target javascript --runtime bun -- --local --puller wget
- run: gleam run --target javascript --runtime bun -- --local --outdated
- run: gleam run --target javascript --runtime bun -- --local

deno:
runs-on: ubuntu-latest
Expand All @@ -150,4 +153,4 @@ jobs:
- run: deno install
- run: gleam test --target javascript --runtime deno
- run: gleam run --target javascript --runtime deno -- --local --puller wget
- run: gleam run --target javascript --runtime deno -- --local --outdated
- run: gleam run --target javascript --runtime deno -- --local
6 changes: 5 additions & 1 deletion .github/workflows/deps.yml
Expand Up @@ -31,7 +31,11 @@ jobs:
gleam-version: ${{ env.gleam }}
rebar3-version: ${{ env.rebar }}
- run: gleam build
- run: gleam run -m go_over -- --outdated --local
- run: gleam run -m go_over -- --format sarif --sarif-output go-over.sarif --local
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: go-over.sarif
- run: gleam run -m go_over -- --outdated
# create an issue in the repo if there are
# outdated or vulnerable dependencies
- uses: jayqi/failed-build-issue-action@v1
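Review bot: the `upload-sarif` step (lines 88-90) runs only if the preceding `go_over` step succeeds, yet the `failed-build-issue-action` step on line 94 exists precisely because the audit fails the build when it finds outdated or vulnerable dependencies; in that case the SARIF that actually contains findings is never uploaded. Put `if: always()` (or `if: success() || failure()`) on the upload step. Also confirm the job has `permissions: security-events: write`, which lies outside this hunk and is required for the upload, and consider pinning `github/codeql-action/upload-sarif` to a commit SHA rather than the floating `v3` tag in a workflow that can write code-scanning alerts.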
26 changes: 26 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,26 @@
# Changelog

## 4.0.0

### Added

- `--format sarif` and `--sarif-output PATH` for GitHub Code Scanning
integration
- `--workspace [PATH]` to audit every Gleam project under a directory
- `--root PATH` to audit a single project outside the current directory
- `workspace_max_depth` config option (default: `3`) for workspace discovery
- Info-level warnings for unnecessary ignore rules, git dependencies, and
workspace projects skipped due to depth limits
- `--local` and `--global` flags (previously config-only)

### Changed

- Built-in outdated dependency checks removed from hex.pm metadata; `--outdated`
and `[go-over] outdated` now run `gleam deps outdated` instead (default:
`false`)
- `cache` config replaced by `force` (`cache = false` in v3 meant always
refresh; use `force = true` in v4)
- `--ignore-indirect` CLI flag removed; use `[go-over.ignore] indirect = true`
- CLI `--format` overrides per-project `[go-over] format` in workspace mode
- Advisories repository is cloned once per audit instead of per check
- Default `global` cache behavior unchanged (`true`)
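Review bot: the `cache` to `force` entry (lines 119-120) describes a semantic inversion but leaves the reader to work out the mapping; state it directly: `cache = true` (the v3 default) means remove the key, `cache = false` means set `force = true`. The `--ignore-indirect` removal (line 121) belongs under a `### Removed` heading in this Keep a Changelog layout, and "Default `global` cache behavior unchanged" (line 124) is not a change, so it sits oddly under `### Changed`; fold it into the `force` entry as a parenthetical or drop it.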
95 changes: 70 additions & 25 deletions README.md
Expand Up @@ -6,13 +6,10 @@
[![gleam js](https://img.shields.io/badge/%20gleam%20%E2%9C%A8-js%20%F0%9F%8C%B8-yellow)](https://gleam.run/news/v0.16-gleam-compiles-to-javascript/)
[![gleam erlang](https://img.shields.io/badge/erlang%20%E2%98%8E%EF%B8%8F-red?style=flat&label=gleam%20%E2%9C%A8)](https://gleam.run)

![logo](images/go-over-logo.png)

A tool to audit Erlang & Elixir dependencies, to make sure your ✨ gleam
projects really sparkle!

⚠️ Dependencies sourced directly from git or locally have limited support, only
checking for security advisories and not retirements or outdated versions
![logo](https://raw.githubusercontent.com/bwireman/go-over/main/images/go-over-logo.png)

# 🔽 Install

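Review bot: this hunk drops the warning that git and path dependencies are only checked against advisories, not retirements or outdated versions (lines 136-137), but nothing in the changelog says that limitation went away, and the new info-level notice for git dependencies suggests it did not. Keep a one-line statement of the limitation in the README rather than relying on users to notice a `note`-level result in the output.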
Expand Down Expand Up @@ -52,14 +49,25 @@ gleam run -m go_over

### 🏴 Flags

- `--format` Specify the output format of any warnings, [minimal, verbose, json]
(default: None)
- `--format` Specify the output format of any warnings, [minimal, detailed,
json, sarif] (default: None)
- `--sarif-output PATH` Write SARIF output to `PATH` instead of stdout (requires
`--format sarif`)
- `--puller` Specify the tool used to reach out to hex.pm, [native, curl, wget,
httpie] (default: None)
- `--force`: Force pulling new data even if the cached data is still valid
- `--outdated`: Additionally check if newer versions of dependencies exist
- `--ignore-indirect`: Ignore all warnings for indirect dependencies
- `--outdated`: **[deprecated]** runs `gleam deps outdated` instead — use that
command directly
- `--verbose`: Print progress as packages are checked
- `--root PATH`: Audit a single Gleam project at `PATH` (uses `PATH/gleam.toml`
and `PATH/manifest.toml`)
- `--workspace [PATH]`: Audit every Gleam project under `PATH` (default: `.`).
Finds directories containing both `gleam.toml` and `manifest.toml`. Each
project's own `[go-over]` settings apply during its audit. Set
`workspace_max_depth` in the scan root's `gleam.toml` to control discovery
depth (default: `3`).
- `--local`: Cache data in the project's `.go-over/` directory
- `--global`: Cache data in the user's home directory (shared across projects)
- `--help,-h`: Print help

Flags override config values if set
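Review bot: `--local` and `--global` (lines 167-168) contradict each other when both are passed, and `--sarif-output` is documented as requiring `--format sarif` (lines 150-151) without saying what happens otherwise; for each case state whether the tool errors out or which flag wins, since "Flags override config values if set" (line 171) covers flag-versus-config, not flag-versus-flag conflicts.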
Expand All @@ -70,19 +78,22 @@ Optional settings that can be added to your project's `gleam.toml`

```toml
[go-over]
# disables caching if false
# default: true
cache = true
# force pulling new data even if cached data is still valid
# default: false
force = false
# maximum directory depth when scanning with --workspace (set on the scan root)
# default: 3
workspace_max_depth = 3
# if true all cached data will be stored in user's home directory
# allowing cache to be shared between projects
# default: true
global = true
# sets output format for warnings ["minimal", "detailed", "json"]
# sets output format for warnings ["minimal", "detailed", "json", "sarif"]
# default: "minimal"
format = "minimal"
# will additionally check if newer versions of dependencies exist
# default: true
outdated = true
# [deprecated] runs `gleam deps outdated` — use that command directly instead
# default: false
outdated = false
# tool used to pull information from hex.pm ["native", "curl", "wget", "httpie"]
# default: "curl" for JS and "native" for Erlang
puller = "curl"
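Review bot: `format` now accepts `"sarif"` in `gleam.toml` (line 190) but there is no config counterpart to `--sarif-output`, so a project configured that way writes SARIF to stdout with nothing to capture it in CI unless the CLI flag is also given; either add a `sarif_output` key or say in the comment that the output path is CLI-only. Also document what happens to a v3 `gleam.toml` that still carries `cache = false` (removed in this hunk, lines 176-178): an explicit error is safer than silently ignoring a key that used to mean "always refresh".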
Expand Down Expand Up @@ -129,27 +140,61 @@ actions = [

## ⚙️ CI

You can also schedule daily runs to keep your deps up to date and open issues
when necessary!
You can schedule daily runs to keep your deps up to date and open issues when
necessary!
[Example ▶️](https://github.com/bwireman/go-over/blob/main/.github/workflows/deps.yml)

# 🖌️ Other Art
```yaml
- run: gleam run -m go_over -- --local
```

### SARIF output (GitHub Code Scanning)

Use `--format sarif` to emit a
[SARIF 2.1.0](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning)
log suitable for GitHub's code scanning upload action:

```yaml
- run: gleam build
- run: gleam run -m go_over -- --format sarif --sarif-output go-over.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: go-over.sarif
```

By default SARIF is written to stdout. Use `--sarif-output` to write directly to
a file instead of shell redirection. Run `gleam build` first so compile output
does not mix into stdout. Info-level notices (unnecessary ignores, skipped
workspace projects, git dependencies) are included as SARIF `note` results.

You can validate SARIF output against GitHub ingestion rules at
https://sarifweb.azurewebsites.net/Validation.

In workspace mode (`--workspace`), each Gleam project appears as a separate run
in the SARIF document. Pass `--format` on the CLI to use one format for every
project; otherwise each project's `[go-over] format` must match.

## Upgrading to v4

See [CHANGELOG.md](CHANGELOG.md) for breaking changes from v3.

# Other Art

- As I'm sure is no surprise this tool is inspired by (and all around worse
than) [mirego/mix_audit](https://github.com/mirego/mix_audit). Please check it
out!
- It also draws inspiration from
[mix hex.audit](https://hexdocs.pm/hex/Mix.Tasks.Hex.Audit.html)

# ⚖️ License
# License

- This tool uses
[mirego/elixir-security-advisories](https://github.com/mirego/elixir-security-advisories)
which is it self licensed with
This tool uses
[mirego/elixir-security-advisories](https://github.com/mirego/elixir-security-advisories)
which is it self licensed with

- `BSD-3-Clause license`
- `CC-BY 4.0 open source license`.
- `BSD-3-Clause`
- `CC-BY 4.0 open source`
- See their
[#license section](https://github.com/mirego/elixir-security-advisories?tab=readme-ov-file#license)

- Code original to this repo is Licensed under `MIT`
Code original to this repo is Licensed under `MIT`

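Review bot: the CI snippet (lines 223-229) fails at the upload step for anyone who copies it as-is, because `upload-sarif` needs `permissions: security-events: write` on the job, and the upload is skipped whenever the audit step exits non-zero on findings unless it carries `if: always()`; add both to the example. "Run `gleam build` first so compile output does not mix into stdout" (lines 232-233) only matters when SARIF goes to stdout, so tie that advice to that case. The workspace paragraph (lines 239-241) should also say what happens when per-project `format` values do not match. Typo carried over on line 263: "it self" should be "itself".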
22 changes: 0 additions & 22 deletions birdie_snapshots/erlang@spin_up_test@ignore_indirect.accepted

This file was deleted.
